Japanese Edition

SNS Advisory No.92
HANAKO Document Information Buffer Overflow Vulnerability

Discovered on:23 Oct 2006
Released on:05 Dec 2006

Severity:
Medium

Overview:
Hanako has a vulnerability in handling string length specified in the document information. This could result in a buffer overflow condition and arbitrary code could be executed.

Problem Description:
In the Hanako, the document information including "Keyword" and "Title" can be specified in the created document.

The specified string length, however, can not be handled properly due to a vulnerability in handling the document information.

The buffer overflow occurs when any malformed document data is loaded to the Hanako and the user is made to display the document information. This could eventually result in execution of arbitrary code.

Affected Products and Versions:
Hanako 2004
Hanako 2005
Hanako 2006
Hanako Viewer 1.0

Solution:
The vulnerability can be fixed by installing the security update module, which is available at:
http://www.justsystem.co.jp/info/pd6005.html

Discovered by:
Yuu Arai (LAC)

Thanks to:

This LAC Advisory is released in coordination with Information-technology Promotion Agency, Japan (IPA) and Japan Computer Emargency Response Team Coordination Center (JPCERT/CC.)

Disclaimer:
The information contained in this advisory may be revised without prior notice and is provided as is. Users shall take their own risk when taking any actions following reading this advisory. Little eArth Corporation Co., Ltd. shall not be held responsible  for any claims, losses or damages caused by the use of information provided here.

This advisory is available at the following URL:

http://www.lac.co.jp/english/advisory/92_e.html

Japanese Edition